Q1

Q2

Q3

Q4 We intend to revise the code to address the impact of changes in data protection legislation, where these changes are relevant to data sharing. What changes to the data protection legislation do you think we should focus on when updating the code?


GDPR Article 11 - Processing (in particular data sharing) which does not require identification. GDPR Article 17 - Right to erasure ('right to be forgotten') and right to restriction of processing over data that has been shared with other data controllers or data processors. Mandate to seek and evidence a competent and independent data protection officer has been consulted. Art. 35 (4) - since the ICO shall establish when a DPIA is necessary - it would be helpful to make mandatory a DPIA when an ISA is required since both are likely to be needed when large scale of data is shared or when the sharing may result in a high risk to the rights and freedoms of the individuals. Intra information sharing (e.g. within the same organisation or companies within the same group). Guidance with differences between approaches such as MOUs, ISAs, data processor contracts or agreements, etc. New liabilities between data controllers and data processors. Are data sharing agreements required if a data processor contract is in place? In the end data sharing happens regardless if it is between data controllers (DCs) or data processors (DPs) - a pragmatic way to address the sharing with data processors would be to add elements of the information sharing agreement as an appendix to the commercial contract between the parties. In complex scenarios, where multiple parties share data in a wider data flow, it may be pragmatic to have in an ISA (Information Sharing Agreement) separate from any commercial contract, where it is documented how the


Apart from recent changes to data protection legislation, are there other developments that are having an impact on your organisation's data sharing practice that you would like us to address in the updated code?


Yes
No


Please specify 


It is important to recognise the benefits of using health data and big data for the wider public benefit, such as finding innovations and understanding better health and care.


Does the 2011 data sharing code of practice strike the right balance between recognising the benefits of sharing personal data and the need to protect it? Please give details.


Yes
No


Q5 In what ways does it achieve this? 


Q6 In what ways does it fail to strike the right balance? 


GDPR is more focused on the importance and benefits of sharing information and public benefit.


Q7 


What types of data sharing (eg systematic, routine sharing or exceptional, ad hoc requests) are covered in too much detail in the 2011 code?


There is not "too much" detail in the 2011 code. 


Q8 What types of data sharing (eg systematic, routine sharing or exceptional, ad hoc requests) are not covered in enough detail in the 2011 code?


It would be beneficial to add other types of data sharing, e.g. between data controllers, between DCs and Data Processors or between a combination of them.
Q9 Is the 2011 code relevant to the types of data sharing your organisation is involved in? If not, which additional areas should we cover?


Yes. Some consideration of "intra data sharing" would be helpful - meaning sharing across different areas of an organisation or within the same group/partnership. Clarity on when an MOU across a partnership (or even e.g. the NHS) would be sufficient covering the governance of the sharing across the partners as long as the details (what data, data flow, security measures etc.) are explored and documented in subsequent DPIAs and the IA Register etc.


Q10

Q11

Q12 Please provide details of any case studies or data sharing scenarios that you would like to see included in the updated code?


It would be good to add examples where some groups of undertakings take a strong stand on their data controllership over the data, perhaps because of their historical stand or because they have strong professional bodies supporting their position. These kinds of groups may have been traditionally reluctant to share data despite legislation giving specific powers (statute) to a public authority. Clarity on the role of the "main" data controller in these scenarios would be helpful.


Is there anything the 2011 code does not cover that you think it should? Please provide details.


GDPR Article 11 - Processing (in particular data sharing) which does not require identification. GDPR Article 17 - Right to erasure ('right to be forgotten') and right to restriction of processing over data that has been shared with other data controllers or data processors. Mandate to seek and evidence a competent and independent data protection officer has been consulted. Art. 35 (4) - since the ICO shall establish when a DPIA is necessary - it would be helpful to make mandatory a DPIA when an ISA is required since both are likely to be needed when large scale of data is shared or when the sharing may result in a high risk to the rights and freedoms of the individuals. Intra information sharing (e.g. within the same organisation or companies within the same group). Guidance with differences between approaches such as MOUs, ISAs, data processor contracts or agreements, etc. New liabilities between data controllers and data processors. Are data sharing agreements required if a data processor contract is in place? In the end data sharing happens regardless if it is between data controllers (DCs) or data processors (DPs) - a pragmatic way to address the sharing with data processors would be to add elements of the


In what other ways do you think the 2011 code could be improved? 


Clarity on ISAs as a legal document and the balance in the language of ISAs (legal vs. practitioners)


About you 


Q13 Are you answering these questions as:
(x) A public sector worker?
( ) A private sector worker?
( ) A third or voluntary sector worker?
( ) A member of the public
( ) A representative of a trade association
( ) A data subject
( ) An ICO employee


( ) Other


Q14 Please specify


Q15 Please provide more information about the type of organisation you work for, ie a bank, a housing association, a school.


Scottish Government (Digital Health and Care) 


Q16 We may want to contact you about some of the points you have raised. If you are happy for us to do this please provide your email address:


Thank you for taking the time to share your views and experience. 


